Documentation
¶
Overview ¶
CaMeL Bypass targets the CaMeL capability-based access control defense, which achieves 67% attack neutralization. This module exploits policy definition gaps and capability boundary weaknesses.
Source: arXiv 2503.18813
Package adaptive implements adaptive attacks that systematically bypass specific defense mechanisms through optimization strategies.
DiffusionAttacker uses diffusion-model-inspired iterative refinement to generate adversarial prompts. The approach iteratively adds and removes noise from prompts to discover variants that bypass safety filters.
Note: Full diffusion model integration requires the Python ML bridge. This module implements the iterative refinement algorithm in pure Go using text-level perturbation (no actual diffusion model required).
Source: EMNLP 2025
IterInject — feedback-optimized indirect prompt injection (arXiv 2605.24659).
Unlike jbfuzz/persona_evolve, which deliberately avoid LLM-driven mutation for cost, IterInject's defining mechanic IS an LLM optimizer: a rule-based diagnoser produces a structured outcome label per attempt, an optimizer refines the injection payload conditioned on the full attempt history, and a synthesis step derives new disguise seeds from failure patterns. The paper reports full success on 5/9 Claude Code targets.
Optimizer role: per the v0.12.0 plan (Resolved Question 2), the optimizer reuses the TARGET provider in a self-refinement loop — fitting the single- provider Execute signature and runnable against --provider=mock. Each iteration spends one optimizer query plus one attack query; both count toward the shared common.EngineBudget. Requires allow_experimental.
Package adaptive contains evolutionary / feedback-driven attack engines.
jbfuzz.go implements the JBFuzz black-box mutation/feedback fuzzer (arXiv 2503.08990, March 2026). Synonym-substitution is the primary mutation operator (462x faster than LLM mutation per the paper's §4.2); RefusalSuppression and Rephrase are tier-2 ops borrowed from TurboFuzzLLM (arXiv 2502.18504). Selection is UCB1 with periodic random restart — MCTS-Explore is on the v0.10.0 plan but UCB1+restart is sufficient to avoid the local-optima pathology GPTFuzzer documented for pure UCB.
Fitness is the refusal-heuristic by default (cheap, deterministic, fits in v0.9.0 with no new dependencies). Embedding-fitness is opt-in via metadata "fitness=embedding" (#170): it scores goal-relevance as the cosine similarity between the target response and the operator objective, embedded via a local Ollama-style embeddings endpoint (metadata "embedding_endpoint" / "embedding_model"). Opting in without a reachable endpoint yields a clean Skipped (SkipPreconditionFailed), never a crash.
Per the v0.9.0 plan, jbfuzz requires config.Metadata["allow_experimental"] = "true" because the engine *discovers* novel jailbreaks at runtime, which is fundamentally different from running a curated handcrafted attack.
persona_evolve.go implements the genetic-algorithm persona-modulation engine described in arXiv 2507.22171 ("Enhancing Jailbreak Attacks on LLMs via Persona Prompts"). Persona modulation reduces refusal rates by 50–70% per the paper; this engine evolves seed personas via tournament selection, uniform crossover over trait slots, slot mutation, 5% elitism, and periodic immigration to escape mode collapse.
Encoding rationale (struct-of-traits, not string templates) per Promptbreeder (ICLR 2024) and GAAPO (Frontiers AI 2025): string-template crossover produces ungrammatical offspring and converges slowly. The trait dictionary is encoded in templates/genetic_persona_seeds.json with stable slot keys (role / expertise / tone / motivation / constraints / backstory / traits / style / fitness_seed) so uniform crossover over slots always yields a syntactically valid persona.
Per the v0.9.0 plan, persona_evolve requires config.Metadata["allow_experimental"] = "true" because the engine discovers novel jailbreak personas at runtime.
SaltResistance implements anti-salting techniques that counter LLM Salting, a defense that reduces ASR to 3% by adding deployment-specific fine-tuning.
Source: Sophos CAMLIS 2025
Index ¶
- type CaMeLBypassModule
- func (m *CaMeLBypassModule) Category() common.AttackCategory
- func (m *CaMeLBypassModule) Description() string
- func (m *CaMeLBypassModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *CaMeLBypassModule) Name() string
- func (m *CaMeLBypassModule) Techniques() []common.TechniqueInfo
- type DefenseBypassOptimizerModule
- func (m *DefenseBypassOptimizerModule) Category() common.AttackCategory
- func (m *DefenseBypassOptimizerModule) Description() string
- func (m *DefenseBypassOptimizerModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *DefenseBypassOptimizerModule) Name() string
- func (m *DefenseBypassOptimizerModule) Techniques() []common.TechniqueInfo
- type DiffusionAttackerModule
- func (m *DiffusionAttackerModule) Category() common.AttackCategory
- func (m *DiffusionAttackerModule) Description() string
- func (m *DiffusionAttackerModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *DiffusionAttackerModule) Name() string
- func (m *DiffusionAttackerModule) Techniques() []common.TechniqueInfo
- type IterInjectModule
- func (m *IterInjectModule) Category() common.AttackCategory
- func (m *IterInjectModule) Description() string
- func (m *IterInjectModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *IterInjectModule) Name() string
- func (m *IterInjectModule) Techniques() []common.TechniqueInfo
- type JBFuzzModule
- func (m *JBFuzzModule) Category() common.AttackCategory
- func (m *JBFuzzModule) Description() string
- func (m *JBFuzzModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *JBFuzzModule) Name() string
- func (m *JBFuzzModule) Techniques() []common.TechniqueInfo
- type PersonaEvolveModule
- func (m *PersonaEvolveModule) Category() common.AttackCategory
- func (m *PersonaEvolveModule) Description() string
- func (m *PersonaEvolveModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *PersonaEvolveModule) Name() string
- func (m *PersonaEvolveModule) Techniques() []common.TechniqueInfo
- type SaltResistanceModule
- func (m *SaltResistanceModule) Category() common.AttackCategory
- func (m *SaltResistanceModule) Description() string
- func (m *SaltResistanceModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *SaltResistanceModule) Name() string
- func (m *SaltResistanceModule) Techniques() []common.TechniqueInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CaMeLBypassModule ¶
type CaMeLBypassModule struct{}
CaMeLBypassModule targets CaMeL capability-based access control.
Source: arXiv 2503.18813
func (*CaMeLBypassModule) Category ¶
func (m *CaMeLBypassModule) Category() common.AttackCategory
func (*CaMeLBypassModule) Description ¶
func (m *CaMeLBypassModule) Description() string
func (*CaMeLBypassModule) Execute ¶
func (m *CaMeLBypassModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*CaMeLBypassModule) Name ¶
func (m *CaMeLBypassModule) Name() string
func (*CaMeLBypassModule) Techniques ¶
func (m *CaMeLBypassModule) Techniques() []common.TechniqueInfo
type DefenseBypassOptimizerModule ¶
type DefenseBypassOptimizerModule struct{}
DefenseBypassOptimizerModule implements systematic defense bypass through pluggable optimization strategies (random search, hill climbing, etc.).
WARNING: Requires --i-understand-risks flag. Logs all target information.
Source: OpenAI/Anthropic/DeepMind joint research 2025
func (*DefenseBypassOptimizerModule) Category ¶
func (m *DefenseBypassOptimizerModule) Category() common.AttackCategory
func (*DefenseBypassOptimizerModule) Description ¶
func (m *DefenseBypassOptimizerModule) Description() string
func (*DefenseBypassOptimizerModule) Execute ¶
func (m *DefenseBypassOptimizerModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*DefenseBypassOptimizerModule) Name ¶
func (m *DefenseBypassOptimizerModule) Name() string
func (*DefenseBypassOptimizerModule) Techniques ¶
func (m *DefenseBypassOptimizerModule) Techniques() []common.TechniqueInfo
type DiffusionAttackerModule ¶
type DiffusionAttackerModule struct{}
DiffusionAttackerModule implements iterative prompt refinement inspired by diffusion models. Uses text perturbation in pure Go; optional Python ML bridge for actual diffusion model integration.
Source: EMNLP 2025
func (*DiffusionAttackerModule) Category ¶
func (m *DiffusionAttackerModule) Category() common.AttackCategory
func (*DiffusionAttackerModule) Description ¶
func (m *DiffusionAttackerModule) Description() string
func (*DiffusionAttackerModule) Execute ¶
func (m *DiffusionAttackerModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*DiffusionAttackerModule) Name ¶
func (m *DiffusionAttackerModule) Name() string
func (*DiffusionAttackerModule) Techniques ¶
func (m *DiffusionAttackerModule) Techniques() []common.TechniqueInfo
type IterInjectModule ¶ added in v0.12.0
type IterInjectModule struct{}
IterInjectModule implements attacks.AttackModule for IterInject.
func (*IterInjectModule) Category ¶ added in v0.12.0
func (m *IterInjectModule) Category() common.AttackCategory
Category returns CategoryAdaptive.
func (*IterInjectModule) Description ¶ added in v0.12.0
func (m *IterInjectModule) Description() string
Description summarizes the technique.
func (*IterInjectModule) Execute ¶ added in v0.12.0
func (m *IterInjectModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the feedback-optimized injection loop until a payload lands or the budget is exhausted.
func (*IterInjectModule) Name ¶ added in v0.12.0
func (m *IterInjectModule) Name() string
Name returns the registered technique name.
func (*IterInjectModule) Techniques ¶ added in v0.12.0
func (m *IterInjectModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle.
type JBFuzzModule ¶ added in v0.9.0
type JBFuzzModule struct{}
JBFuzzModule implements attacks.AttackModule for the JBFuzz fuzzer.
func (*JBFuzzModule) Category ¶ added in v0.9.0
func (m *JBFuzzModule) Category() common.AttackCategory
Category returns CategoryAdaptive.
func (*JBFuzzModule) Description ¶ added in v0.9.0
func (m *JBFuzzModule) Description() string
Description summarizes the technique.
func (*JBFuzzModule) Execute ¶ added in v0.9.0
func (m *JBFuzzModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the fuzzer against the provider until budget is exhausted or a candidate crosses the success threshold.
func (*JBFuzzModule) Name ¶ added in v0.9.0
func (m *JBFuzzModule) Name() string
Name returns the registered technique name.
func (*JBFuzzModule) Techniques ¶ added in v0.9.0
func (m *JBFuzzModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle.
type PersonaEvolveModule ¶ added in v0.9.0
type PersonaEvolveModule struct{}
PersonaEvolveModule implements attacks.AttackModule for the GA engine.
func (*PersonaEvolveModule) Category ¶ added in v0.9.0
func (m *PersonaEvolveModule) Category() common.AttackCategory
Category returns CategoryAdaptive.
func (*PersonaEvolveModule) Description ¶ added in v0.9.0
func (m *PersonaEvolveModule) Description() string
Description summarizes the technique.
func (*PersonaEvolveModule) Execute ¶ added in v0.9.0
func (m *PersonaEvolveModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the GA against the provider until budget is exhausted or a candidate crosses successThreshold (shared with jbfuzz).
func (*PersonaEvolveModule) Name ¶ added in v0.9.0
func (m *PersonaEvolveModule) Name() string
Name returns the registered technique name.
func (*PersonaEvolveModule) Techniques ¶ added in v0.9.0
func (m *PersonaEvolveModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle.
type SaltResistanceModule ¶
type SaltResistanceModule struct{}
SaltResistanceModule implements anti-salting techniques that generate attacks dynamically rather than relying on pre-computed static prompts.
Source: Sophos CAMLIS 2025
func (*SaltResistanceModule) Category ¶
func (m *SaltResistanceModule) Category() common.AttackCategory
func (*SaltResistanceModule) Description ¶
func (m *SaltResistanceModule) Description() string
func (*SaltResistanceModule) Execute ¶
func (m *SaltResistanceModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*SaltResistanceModule) Name ¶
func (m *SaltResistanceModule) Name() string
func (*SaltResistanceModule) Techniques ¶
func (m *SaltResistanceModule) Techniques() []common.TechniqueInfo